e55ed4bd21848f12b76f39a4fdfd447dec40a23ff21a6669dd6072c6b967ac25

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
10-07-2023 14:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c5254ee4c7f095exeexeexeex.exe
Size

204KB
MD5

c5254ee4c7f0953d7d3ac0f129a608c4
SHA1

4b4c65d1c78ee586aa71f8d7202b742a18cff55d
SHA256

e55ed4bd21848f12b76f39a4fdfd447dec40a23ff21a6669dd6072c6b967ac25
SHA512

d4ecb9d3a97a20df2939f785f1c77da91ad1be50eaae0f9eea54d4d9a2352b72be21d216e1857a0197494bc8a160501b198a4d70c000d614836a5ac4ed9e1f15
SSDEEP

1536:1EGh0ofl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0ofl1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B6E620F8-A4E9-4c5e-A6C8-5F13866CFC2B}	{D955F923-4041-4c55-851F-CD95E541801A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B6E620F8-A4E9-4c5e-A6C8-5F13866CFC2B}\stubpath = "C:\\Windows\\{B6E620F8-A4E9-4c5e-A6C8-5F13866CFC2B}.exe"	{D955F923-4041-4c55-851F-CD95E541801A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D2CD6C9-9C63-470d-9891-B2EBF53E9AEC}	{B6E620F8-A4E9-4c5e-A6C8-5F13866CFC2B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F3E14954-1FE2-4e57-B9FB-FF646EE4668B}	{2D2CD6C9-9C63-470d-9891-B2EBF53E9AEC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6321056D-E0EC-4075-9AA6-EAB9EA77FFC6}\stubpath = "C:\\Windows\\{6321056D-E0EC-4075-9AA6-EAB9EA77FFC6}.exe"	{A1A11F70-FB0D-401a-B925-1A9376BCE73A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{46F4AF35-D094-451a-A1CD-17B567B8C548}\stubpath = "C:\\Windows\\{46F4AF35-D094-451a-A1CD-17B567B8C548}.exe"	{6321056D-E0EC-4075-9AA6-EAB9EA77FFC6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B9F39AE-A54B-4cae-89E9-89A8F6E1045B}	c5254ee4c7f095exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D955F923-4041-4c55-851F-CD95E541801A}	{0B9F39AE-A54B-4cae-89E9-89A8F6E1045B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B53AD40-B848-4912-B33C-06EBD679B97D}	{46F4AF35-D094-451a-A1CD-17B567B8C548}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1B2E5C2-C63D-4488-B588-46E75FDBF289}\stubpath = "C:\\Windows\\{F1B2E5C2-C63D-4488-B588-46E75FDBF289}.exe"	{39D5151C-AF83-405e-9602-0A3A425842D6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1A11F70-FB0D-401a-B925-1A9376BCE73A}	{F1B2E5C2-C63D-4488-B588-46E75FDBF289}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B53AD40-B848-4912-B33C-06EBD679B97D}\stubpath = "C:\\Windows\\{6B53AD40-B848-4912-B33C-06EBD679B97D}.exe"	{46F4AF35-D094-451a-A1CD-17B567B8C548}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{39D5151C-AF83-405e-9602-0A3A425842D6}	{EE5E9260-345F-4963-8E4F-BEE98B6B5F7C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1B2E5C2-C63D-4488-B588-46E75FDBF289}	{39D5151C-AF83-405e-9602-0A3A425842D6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{39D5151C-AF83-405e-9602-0A3A425842D6}\stubpath = "C:\\Windows\\{39D5151C-AF83-405e-9602-0A3A425842D6}.exe"	{EE5E9260-345F-4963-8E4F-BEE98B6B5F7C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6321056D-E0EC-4075-9AA6-EAB9EA77FFC6}	{A1A11F70-FB0D-401a-B925-1A9376BCE73A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D2CD6C9-9C63-470d-9891-B2EBF53E9AEC}\stubpath = "C:\\Windows\\{2D2CD6C9-9C63-470d-9891-B2EBF53E9AEC}.exe"	{B6E620F8-A4E9-4c5e-A6C8-5F13866CFC2B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F3E14954-1FE2-4e57-B9FB-FF646EE4668B}\stubpath = "C:\\Windows\\{F3E14954-1FE2-4e57-B9FB-FF646EE4668B}.exe"	{2D2CD6C9-9C63-470d-9891-B2EBF53E9AEC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE5E9260-345F-4963-8E4F-BEE98B6B5F7C}	{F3E14954-1FE2-4e57-B9FB-FF646EE4668B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE5E9260-345F-4963-8E4F-BEE98B6B5F7C}\stubpath = "C:\\Windows\\{EE5E9260-345F-4963-8E4F-BEE98B6B5F7C}.exe"	{F3E14954-1FE2-4e57-B9FB-FF646EE4668B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1A11F70-FB0D-401a-B925-1A9376BCE73A}\stubpath = "C:\\Windows\\{A1A11F70-FB0D-401a-B925-1A9376BCE73A}.exe"	{F1B2E5C2-C63D-4488-B588-46E75FDBF289}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{46F4AF35-D094-451a-A1CD-17B567B8C548}	{6321056D-E0EC-4075-9AA6-EAB9EA77FFC6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B9F39AE-A54B-4cae-89E9-89A8F6E1045B}\stubpath = "C:\\Windows\\{0B9F39AE-A54B-4cae-89E9-89A8F6E1045B}.exe"	c5254ee4c7f095exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D955F923-4041-4c55-851F-CD95E541801A}\stubpath = "C:\\Windows\\{D955F923-4041-4c55-851F-CD95E541801A}.exe"	{0B9F39AE-A54B-4cae-89E9-89A8F6E1045B}.exe

Executes dropped EXE 12 IoCs

pid	Process
3736	{0B9F39AE-A54B-4cae-89E9-89A8F6E1045B}.exe
2964	{D955F923-4041-4c55-851F-CD95E541801A}.exe
320	{B6E620F8-A4E9-4c5e-A6C8-5F13866CFC2B}.exe
5052	{2D2CD6C9-9C63-470d-9891-B2EBF53E9AEC}.exe
3236	{F3E14954-1FE2-4e57-B9FB-FF646EE4668B}.exe
5064	{EE5E9260-345F-4963-8E4F-BEE98B6B5F7C}.exe
3112	{39D5151C-AF83-405e-9602-0A3A425842D6}.exe
3712	{F1B2E5C2-C63D-4488-B588-46E75FDBF289}.exe
1320	{A1A11F70-FB0D-401a-B925-1A9376BCE73A}.exe
3052	{6321056D-E0EC-4075-9AA6-EAB9EA77FFC6}.exe
2712	{46F4AF35-D094-451a-A1CD-17B567B8C548}.exe
2508	{6B53AD40-B848-4912-B33C-06EBD679B97D}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{D955F923-4041-4c55-851F-CD95E541801A}.exe	{0B9F39AE-A54B-4cae-89E9-89A8F6E1045B}.exe
File created	C:\Windows\{B6E620F8-A4E9-4c5e-A6C8-5F13866CFC2B}.exe	{D955F923-4041-4c55-851F-CD95E541801A}.exe
File created	C:\Windows\{2D2CD6C9-9C63-470d-9891-B2EBF53E9AEC}.exe	{B6E620F8-A4E9-4c5e-A6C8-5F13866CFC2B}.exe
File created	C:\Windows\{F3E14954-1FE2-4e57-B9FB-FF646EE4668B}.exe	{2D2CD6C9-9C63-470d-9891-B2EBF53E9AEC}.exe
File created	C:\Windows\{46F4AF35-D094-451a-A1CD-17B567B8C548}.exe	{6321056D-E0EC-4075-9AA6-EAB9EA77FFC6}.exe
File created	C:\Windows\{0B9F39AE-A54B-4cae-89E9-89A8F6E1045B}.exe	c5254ee4c7f095exeexeexeex.exe
File created	C:\Windows\{39D5151C-AF83-405e-9602-0A3A425842D6}.exe	{EE5E9260-345F-4963-8E4F-BEE98B6B5F7C}.exe
File created	C:\Windows\{F1B2E5C2-C63D-4488-B588-46E75FDBF289}.exe	{39D5151C-AF83-405e-9602-0A3A425842D6}.exe
File created	C:\Windows\{A1A11F70-FB0D-401a-B925-1A9376BCE73A}.exe	{F1B2E5C2-C63D-4488-B588-46E75FDBF289}.exe
File created	C:\Windows\{6321056D-E0EC-4075-9AA6-EAB9EA77FFC6}.exe	{A1A11F70-FB0D-401a-B925-1A9376BCE73A}.exe
File created	C:\Windows\{6B53AD40-B848-4912-B33C-06EBD679B97D}.exe	{46F4AF35-D094-451a-A1CD-17B567B8C548}.exe
File created	C:\Windows\{EE5E9260-345F-4963-8E4F-BEE98B6B5F7C}.exe	{F3E14954-1FE2-4e57-B9FB-FF646EE4668B}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2824	c5254ee4c7f095exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	3736	{0B9F39AE-A54B-4cae-89E9-89A8F6E1045B}.exe
Token: SeIncBasePriorityPrivilege	2964	{D955F923-4041-4c55-851F-CD95E541801A}.exe
Token: SeIncBasePriorityPrivilege	320	{B6E620F8-A4E9-4c5e-A6C8-5F13866CFC2B}.exe
Token: SeIncBasePriorityPrivilege	5052	{2D2CD6C9-9C63-470d-9891-B2EBF53E9AEC}.exe
Token: SeIncBasePriorityPrivilege	3236	{F3E14954-1FE2-4e57-B9FB-FF646EE4668B}.exe
Token: SeIncBasePriorityPrivilege	5064	{EE5E9260-345F-4963-8E4F-BEE98B6B5F7C}.exe
Token: SeIncBasePriorityPrivilege	3112	{39D5151C-AF83-405e-9602-0A3A425842D6}.exe
Token: SeIncBasePriorityPrivilege	3712	{F1B2E5C2-C63D-4488-B588-46E75FDBF289}.exe
Token: SeIncBasePriorityPrivilege	1320	{A1A11F70-FB0D-401a-B925-1A9376BCE73A}.exe
Token: SeIncBasePriorityPrivilege	3052	{6321056D-E0EC-4075-9AA6-EAB9EA77FFC6}.exe
Token: SeIncBasePriorityPrivilege	2712	{46F4AF35-D094-451a-A1CD-17B567B8C548}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2824 wrote to memory of 3736	2824	c5254ee4c7f095exeexeexeex.exe	84
PID 2824 wrote to memory of 3736	2824	c5254ee4c7f095exeexeexeex.exe	84
PID 2824 wrote to memory of 3736	2824	c5254ee4c7f095exeexeexeex.exe	84
PID 2824 wrote to memory of 2432	2824	c5254ee4c7f095exeexeexeex.exe	85
PID 2824 wrote to memory of 2432	2824	c5254ee4c7f095exeexeexeex.exe	85
PID 2824 wrote to memory of 2432	2824	c5254ee4c7f095exeexeexeex.exe	85
PID 3736 wrote to memory of 2964	3736	{0B9F39AE-A54B-4cae-89E9-89A8F6E1045B}.exe	86
PID 3736 wrote to memory of 2964	3736	{0B9F39AE-A54B-4cae-89E9-89A8F6E1045B}.exe	86
PID 3736 wrote to memory of 2964	3736	{0B9F39AE-A54B-4cae-89E9-89A8F6E1045B}.exe	86
PID 3736 wrote to memory of 388	3736	{0B9F39AE-A54B-4cae-89E9-89A8F6E1045B}.exe	87
PID 3736 wrote to memory of 388	3736	{0B9F39AE-A54B-4cae-89E9-89A8F6E1045B}.exe	87
PID 3736 wrote to memory of 388	3736	{0B9F39AE-A54B-4cae-89E9-89A8F6E1045B}.exe	87
PID 2964 wrote to memory of 320	2964	{D955F923-4041-4c55-851F-CD95E541801A}.exe	97
PID 2964 wrote to memory of 320	2964	{D955F923-4041-4c55-851F-CD95E541801A}.exe	97
PID 2964 wrote to memory of 320	2964	{D955F923-4041-4c55-851F-CD95E541801A}.exe	97
PID 2964 wrote to memory of 2520	2964	{D955F923-4041-4c55-851F-CD95E541801A}.exe	98
PID 2964 wrote to memory of 2520	2964	{D955F923-4041-4c55-851F-CD95E541801A}.exe	98
PID 2964 wrote to memory of 2520	2964	{D955F923-4041-4c55-851F-CD95E541801A}.exe	98
PID 320 wrote to memory of 5052	320	{B6E620F8-A4E9-4c5e-A6C8-5F13866CFC2B}.exe	99
PID 320 wrote to memory of 5052	320	{B6E620F8-A4E9-4c5e-A6C8-5F13866CFC2B}.exe	99
PID 320 wrote to memory of 5052	320	{B6E620F8-A4E9-4c5e-A6C8-5F13866CFC2B}.exe	99
PID 320 wrote to memory of 1032	320	{B6E620F8-A4E9-4c5e-A6C8-5F13866CFC2B}.exe	100
PID 320 wrote to memory of 1032	320	{B6E620F8-A4E9-4c5e-A6C8-5F13866CFC2B}.exe	100
PID 320 wrote to memory of 1032	320	{B6E620F8-A4E9-4c5e-A6C8-5F13866CFC2B}.exe	100
PID 5052 wrote to memory of 3236	5052	{2D2CD6C9-9C63-470d-9891-B2EBF53E9AEC}.exe	101
PID 5052 wrote to memory of 3236	5052	{2D2CD6C9-9C63-470d-9891-B2EBF53E9AEC}.exe	101
PID 5052 wrote to memory of 3236	5052	{2D2CD6C9-9C63-470d-9891-B2EBF53E9AEC}.exe	101
PID 5052 wrote to memory of 2068	5052	{2D2CD6C9-9C63-470d-9891-B2EBF53E9AEC}.exe	102
PID 5052 wrote to memory of 2068	5052	{2D2CD6C9-9C63-470d-9891-B2EBF53E9AEC}.exe	102
PID 5052 wrote to memory of 2068	5052	{2D2CD6C9-9C63-470d-9891-B2EBF53E9AEC}.exe	102
PID 3236 wrote to memory of 5064	3236	{F3E14954-1FE2-4e57-B9FB-FF646EE4668B}.exe	104
PID 3236 wrote to memory of 5064	3236	{F3E14954-1FE2-4e57-B9FB-FF646EE4668B}.exe	104
PID 3236 wrote to memory of 5064	3236	{F3E14954-1FE2-4e57-B9FB-FF646EE4668B}.exe	104
PID 3236 wrote to memory of 1928	3236	{F3E14954-1FE2-4e57-B9FB-FF646EE4668B}.exe	105
PID 3236 wrote to memory of 1928	3236	{F3E14954-1FE2-4e57-B9FB-FF646EE4668B}.exe	105
PID 3236 wrote to memory of 1928	3236	{F3E14954-1FE2-4e57-B9FB-FF646EE4668B}.exe	105
PID 5064 wrote to memory of 3112	5064	{EE5E9260-345F-4963-8E4F-BEE98B6B5F7C}.exe	106
PID 5064 wrote to memory of 3112	5064	{EE5E9260-345F-4963-8E4F-BEE98B6B5F7C}.exe	106
PID 5064 wrote to memory of 3112	5064	{EE5E9260-345F-4963-8E4F-BEE98B6B5F7C}.exe	106
PID 5064 wrote to memory of 3616	5064	{EE5E9260-345F-4963-8E4F-BEE98B6B5F7C}.exe	107
PID 5064 wrote to memory of 3616	5064	{EE5E9260-345F-4963-8E4F-BEE98B6B5F7C}.exe	107
PID 5064 wrote to memory of 3616	5064	{EE5E9260-345F-4963-8E4F-BEE98B6B5F7C}.exe	107
PID 3112 wrote to memory of 3712	3112	{39D5151C-AF83-405e-9602-0A3A425842D6}.exe	108
PID 3112 wrote to memory of 3712	3112	{39D5151C-AF83-405e-9602-0A3A425842D6}.exe	108
PID 3112 wrote to memory of 3712	3112	{39D5151C-AF83-405e-9602-0A3A425842D6}.exe	108
PID 3112 wrote to memory of 1356	3112	{39D5151C-AF83-405e-9602-0A3A425842D6}.exe	109
PID 3112 wrote to memory of 1356	3112	{39D5151C-AF83-405e-9602-0A3A425842D6}.exe	109
PID 3112 wrote to memory of 1356	3112	{39D5151C-AF83-405e-9602-0A3A425842D6}.exe	109
PID 3712 wrote to memory of 1320	3712	{F1B2E5C2-C63D-4488-B588-46E75FDBF289}.exe	110
PID 3712 wrote to memory of 1320	3712	{F1B2E5C2-C63D-4488-B588-46E75FDBF289}.exe	110
PID 3712 wrote to memory of 1320	3712	{F1B2E5C2-C63D-4488-B588-46E75FDBF289}.exe	110
PID 3712 wrote to memory of 1648	3712	{F1B2E5C2-C63D-4488-B588-46E75FDBF289}.exe	111
PID 3712 wrote to memory of 1648	3712	{F1B2E5C2-C63D-4488-B588-46E75FDBF289}.exe	111
PID 3712 wrote to memory of 1648	3712	{F1B2E5C2-C63D-4488-B588-46E75FDBF289}.exe	111
PID 1320 wrote to memory of 3052	1320	{A1A11F70-FB0D-401a-B925-1A9376BCE73A}.exe	112
PID 1320 wrote to memory of 3052	1320	{A1A11F70-FB0D-401a-B925-1A9376BCE73A}.exe	112
PID 1320 wrote to memory of 3052	1320	{A1A11F70-FB0D-401a-B925-1A9376BCE73A}.exe	112
PID 1320 wrote to memory of 4564	1320	{A1A11F70-FB0D-401a-B925-1A9376BCE73A}.exe	113
PID 1320 wrote to memory of 4564	1320	{A1A11F70-FB0D-401a-B925-1A9376BCE73A}.exe	113
PID 1320 wrote to memory of 4564	1320	{A1A11F70-FB0D-401a-B925-1A9376BCE73A}.exe	113
PID 3052 wrote to memory of 2712	3052	{6321056D-E0EC-4075-9AA6-EAB9EA77FFC6}.exe	114
PID 3052 wrote to memory of 2712	3052	{6321056D-E0EC-4075-9AA6-EAB9EA77FFC6}.exe	114
PID 3052 wrote to memory of 2712	3052	{6321056D-E0EC-4075-9AA6-EAB9EA77FFC6}.exe	114
PID 3052 wrote to memory of 212	3052	{6321056D-E0EC-4075-9AA6-EAB9EA77FFC6}.exe	115

C:\Users\Admin\AppData\Local\Temp\c5254ee4c7f095exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\c5254ee4c7f095exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2824
- C:\Windows\{0B9F39AE-A54B-4cae-89E9-89A8F6E1045B}.exe
  C:\Windows\{0B9F39AE-A54B-4cae-89E9-89A8F6E1045B}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3736
- - C:\Windows\{D955F923-4041-4c55-851F-CD95E541801A}.exe
    C:\Windows\{D955F923-4041-4c55-851F-CD95E541801A}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2964
  - - C:\Windows\{B6E620F8-A4E9-4c5e-A6C8-5F13866CFC2B}.exe
      C:\Windows\{B6E620F8-A4E9-4c5e-A6C8-5F13866CFC2B}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:320
    - - C:\Windows\{2D2CD6C9-9C63-470d-9891-B2EBF53E9AEC}.exe
        
        C:\Windows\{2D2CD6C9-9C63-470d-9891-B2EBF53E9AEC}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5052
      - C:\Windows\{F3E14954-1FE2-4e57-B9FB-FF646EE4668B}.exe
        
        C:\Windows\{F3E14954-1FE2-4e57-B9FB-FF646EE4668B}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3236
        
        C:\Windows\{EE5E9260-345F-4963-8E4F-BEE98B6B5F7C}.exe
        
        C:\Windows\{EE5E9260-345F-4963-8E4F-BEE98B6B5F7C}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5064
        
        C:\Windows\{39D5151C-AF83-405e-9602-0A3A425842D6}.exe
        
        C:\Windows\{39D5151C-AF83-405e-9602-0A3A425842D6}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3112
        
        C:\Windows\{F1B2E5C2-C63D-4488-B588-46E75FDBF289}.exe
        
        C:\Windows\{F1B2E5C2-C63D-4488-B588-46E75FDBF289}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3712
        
        C:\Windows\{A1A11F70-FB0D-401a-B925-1A9376BCE73A}.exe
        
        C:\Windows\{A1A11F70-FB0D-401a-B925-1A9376BCE73A}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1320
        
        C:\Windows\{6321056D-E0EC-4075-9AA6-EAB9EA77FFC6}.exe
        
        C:\Windows\{6321056D-E0EC-4075-9AA6-EAB9EA77FFC6}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3052
        
        C:\Windows\{46F4AF35-D094-451a-A1CD-17B567B8C548}.exe
        
        C:\Windows\{46F4AF35-D094-451a-A1CD-17B567B8C548}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2712
        
        C:\Windows\{6B53AD40-B848-4912-B33C-06EBD679B97D}.exe
        
        C:\Windows\{6B53AD40-B848-4912-B33C-06EBD679B97D}.exe
        13⤵
        Executes dropped EXE
        
        PID:2508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{46F4A~1.EXE > nul
        13⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{63210~1.EXE > nul
        12⤵
        
        PID:212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A1A11~1.EXE > nul
        11⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F1B2E~1.EXE > nul
        10⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{39D51~1.EXE > nul
        9⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EE5E9~1.EXE > nul
        8⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F3E14~1.EXE > nul
        7⤵
        
        PID:1928
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2D2CD~1.EXE > nul
        6⤵
        
        PID:2068
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B6E62~1.EXE > nul
        5⤵
        
        PID:1032
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{D955F~1.EXE > nul
      4⤵
      PID:2520
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{0B9F3~1.EXE > nul
    3⤵
    PID:388
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C5254E~1.EXE > nul
  2⤵
  PID:2432

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0B9F39AE-A54B-4cae-89E9-89A8F6E1045B}.exe

Filesize
204KB

MD5
5a57c64e646e6010b8e19ebee65d3e42

SHA1
7a5f7cc0a2e92256130f2ff14b650f27d2668de4

SHA256
daaa47adb85ed221c68ae4f9458889f379bde54a932e120735fd492706d7a58f

SHA512
baae75033cbeda06a48cb100055cdd9602c3bb36ef6cb10039eae73c4a75ec790c29cf5d73d8e46d53ae8230a4c85cd3f83935b5c933388216c60f30d6e4df14

Download Submit
C:\Windows\{0B9F39AE-A54B-4cae-89E9-89A8F6E1045B}.exe

Filesize
204KB

MD5
5a57c64e646e6010b8e19ebee65d3e42

SHA1
7a5f7cc0a2e92256130f2ff14b650f27d2668de4

SHA256
daaa47adb85ed221c68ae4f9458889f379bde54a932e120735fd492706d7a58f

SHA512
baae75033cbeda06a48cb100055cdd9602c3bb36ef6cb10039eae73c4a75ec790c29cf5d73d8e46d53ae8230a4c85cd3f83935b5c933388216c60f30d6e4df14

Download Submit
C:\Windows\{2D2CD6C9-9C63-470d-9891-B2EBF53E9AEC}.exe

Filesize
204KB

MD5
60a187c46c84f5685ad92f14c94048ea

SHA1
72d2625fb48940296687764a0fa363e7f5732fad

SHA256
d70b47c9395c850f30023afc4aedb1c77d40e195e0c442ab6df50a8b67899774

SHA512
0c1c91245f53c0f989142f488d5f89c79d2f827709995d58952c44648f49ccb4e9632b976ded2077c28b9b27c57591a3bbad033e33c12bb55b851706d8578319

Download Submit
C:\Windows\{2D2CD6C9-9C63-470d-9891-B2EBF53E9AEC}.exe

Filesize
204KB

MD5
60a187c46c84f5685ad92f14c94048ea

SHA1
72d2625fb48940296687764a0fa363e7f5732fad

SHA256
d70b47c9395c850f30023afc4aedb1c77d40e195e0c442ab6df50a8b67899774

SHA512
0c1c91245f53c0f989142f488d5f89c79d2f827709995d58952c44648f49ccb4e9632b976ded2077c28b9b27c57591a3bbad033e33c12bb55b851706d8578319

Download Submit
C:\Windows\{39D5151C-AF83-405e-9602-0A3A425842D6}.exe

Filesize
204KB

MD5
3e1e33255ba88cfafe30f0b50f0bafdf

SHA1
e239bb6cba67f2cdf246e956633fb4414cbafb22

SHA256
110d159da4ae6c6602d10c2ed99d2c31edec9a1ba48ff6d2a3f673f35ac2efbf

SHA512
684cc05730bf3819f543607352cfac121349643ab5946e3e4d960e3fed954f4f0944a7e394bf44a0baae11e25750fa5141682b12db0770037e21a7bf80dfcc39

Download Submit
C:\Windows\{39D5151C-AF83-405e-9602-0A3A425842D6}.exe

Filesize
204KB

MD5
3e1e33255ba88cfafe30f0b50f0bafdf

SHA1
e239bb6cba67f2cdf246e956633fb4414cbafb22

SHA256
110d159da4ae6c6602d10c2ed99d2c31edec9a1ba48ff6d2a3f673f35ac2efbf

SHA512
684cc05730bf3819f543607352cfac121349643ab5946e3e4d960e3fed954f4f0944a7e394bf44a0baae11e25750fa5141682b12db0770037e21a7bf80dfcc39

Download Submit
C:\Windows\{46F4AF35-D094-451a-A1CD-17B567B8C548}.exe

Filesize
204KB

MD5
44e811408131d16f3018784bc9f2d661

SHA1
0e733b970dd643ddf27d59cb28036c6bab009b67

SHA256
7eb33233bd67926fa55cfdd7b5ba358cfc7b86fa30650a1cc9eae5e6abb60364

SHA512
80b9419f9430b693a94471beaf37d405fe74fa416e928e2d1cd8d22890ec96b146625e059554f28cd721ff411704593b7d32b86680940971d8136f8baff72fdb

Download Submit
C:\Windows\{46F4AF35-D094-451a-A1CD-17B567B8C548}.exe

Filesize
204KB

MD5
44e811408131d16f3018784bc9f2d661

SHA1
0e733b970dd643ddf27d59cb28036c6bab009b67

SHA256
7eb33233bd67926fa55cfdd7b5ba358cfc7b86fa30650a1cc9eae5e6abb60364

SHA512
80b9419f9430b693a94471beaf37d405fe74fa416e928e2d1cd8d22890ec96b146625e059554f28cd721ff411704593b7d32b86680940971d8136f8baff72fdb

Download Submit
C:\Windows\{6321056D-E0EC-4075-9AA6-EAB9EA77FFC6}.exe

Filesize
204KB

MD5
36a1dc086686cba89e33f1c9923f2242

SHA1
8c6b958126e22da054f0282714436e3cefb37598

SHA256
a1442d8780c3fe2c08b74fdbfa304db7ad9eb154434ede39cac1ac21cbe238f7

SHA512
c82d6529c058cb325dbf933adc07ff75157d0259028d5c6b546662fb0d37c7766337256eaf7f844c207a48a4aeeb38a474c5499d3e62641804ac32ea9722e5e3

Download Submit
C:\Windows\{6321056D-E0EC-4075-9AA6-EAB9EA77FFC6}.exe

Filesize
204KB

MD5
36a1dc086686cba89e33f1c9923f2242

SHA1
8c6b958126e22da054f0282714436e3cefb37598

SHA256
a1442d8780c3fe2c08b74fdbfa304db7ad9eb154434ede39cac1ac21cbe238f7

SHA512
c82d6529c058cb325dbf933adc07ff75157d0259028d5c6b546662fb0d37c7766337256eaf7f844c207a48a4aeeb38a474c5499d3e62641804ac32ea9722e5e3

Download Submit
C:\Windows\{6B53AD40-B848-4912-B33C-06EBD679B97D}.exe

Filesize
204KB

MD5
cd5c825f81d6361f403392b54c61753e

SHA1
c5851e17c8c00d5b312ff587d495588d19e43f01

SHA256
49fcabcfb1bbc77f308022b19ab491523cdefdb07513ff4fd76e375c84191cf3

SHA512
dcb482f46a9aacd7be3d219c1ee21ef46f0784fb2b1807e22757dea3b6b11a6f987f31c175828e6075fb5c78eb3434cad6cec34ec3fb56f979de2397c25e2efa

Download Submit
C:\Windows\{6B53AD40-B848-4912-B33C-06EBD679B97D}.exe

Filesize
204KB

MD5
cd5c825f81d6361f403392b54c61753e

SHA1
c5851e17c8c00d5b312ff587d495588d19e43f01

SHA256
49fcabcfb1bbc77f308022b19ab491523cdefdb07513ff4fd76e375c84191cf3

SHA512
dcb482f46a9aacd7be3d219c1ee21ef46f0784fb2b1807e22757dea3b6b11a6f987f31c175828e6075fb5c78eb3434cad6cec34ec3fb56f979de2397c25e2efa

Download Submit
C:\Windows\{A1A11F70-FB0D-401a-B925-1A9376BCE73A}.exe

Filesize
204KB

MD5
d62dff7ae490bb2ca8b15f933c665814

SHA1
b002b76e991fabada1d50f9435d261971252377c

SHA256
4fd03c87c291ca234997fd3fe44fc8404c1597a2d888d4ca91cbb36bda2ab135

SHA512
474dd21eb931be3a2fccdc72ee5d162f71442a0fb485248f0280425e8bd491b05847670adf4a276bf3be926071aa0976a430c2fb9584486ea16c4ea9748c59ac

Download Submit
C:\Windows\{A1A11F70-FB0D-401a-B925-1A9376BCE73A}.exe

Filesize
204KB

MD5
d62dff7ae490bb2ca8b15f933c665814

SHA1
b002b76e991fabada1d50f9435d261971252377c

SHA256
4fd03c87c291ca234997fd3fe44fc8404c1597a2d888d4ca91cbb36bda2ab135

SHA512
474dd21eb931be3a2fccdc72ee5d162f71442a0fb485248f0280425e8bd491b05847670adf4a276bf3be926071aa0976a430c2fb9584486ea16c4ea9748c59ac

Download Submit
C:\Windows\{B6E620F8-A4E9-4c5e-A6C8-5F13866CFC2B}.exe

Filesize
204KB

MD5
2eb25093f629092fef88273b378cacdb

SHA1
91e05c71fae5d77a97e825b00e23647134a1b1dd

SHA256
746fb140a2f10fb42eacc7e3c7c15cf449d9ad33c0c5a8837fb80c2bda9e91e9

SHA512
e1fe5446553886885607ee7aabd9e3a138381606086b234d804660712e3955078fb91723765b8ccfc748af0bb73042f4e4ee774feefe5386c88d287c8b2e8d68

Download Submit
C:\Windows\{B6E620F8-A4E9-4c5e-A6C8-5F13866CFC2B}.exe

Filesize
204KB

MD5
2eb25093f629092fef88273b378cacdb

SHA1
91e05c71fae5d77a97e825b00e23647134a1b1dd

SHA256
746fb140a2f10fb42eacc7e3c7c15cf449d9ad33c0c5a8837fb80c2bda9e91e9

SHA512
e1fe5446553886885607ee7aabd9e3a138381606086b234d804660712e3955078fb91723765b8ccfc748af0bb73042f4e4ee774feefe5386c88d287c8b2e8d68

Download Submit
C:\Windows\{B6E620F8-A4E9-4c5e-A6C8-5F13866CFC2B}.exe

Filesize
204KB

MD5
2eb25093f629092fef88273b378cacdb

SHA1
91e05c71fae5d77a97e825b00e23647134a1b1dd

SHA256
746fb140a2f10fb42eacc7e3c7c15cf449d9ad33c0c5a8837fb80c2bda9e91e9

SHA512
e1fe5446553886885607ee7aabd9e3a138381606086b234d804660712e3955078fb91723765b8ccfc748af0bb73042f4e4ee774feefe5386c88d287c8b2e8d68

Download Submit
C:\Windows\{D955F923-4041-4c55-851F-CD95E541801A}.exe

Filesize
204KB

MD5
cf25897ca096f6ca6be84dc36269479c

SHA1
32c2bd3e28699e4919e03163ecbbc7a5bf26fd7d

SHA256
73b74aa2c66d6f3de824a24f5670a324c8169cdc14ff41eb07c0bd616dda22c6

SHA512
779cebae3f705da5cff13096a16603ae7cc387e0af5cf561b38094ff1f9bdf7dff7c412a4fd58161eec069ecdb9303031f29e97865f41b5b4bb70982b5bf42c2

Download Submit
C:\Windows\{D955F923-4041-4c55-851F-CD95E541801A}.exe

Filesize
204KB

MD5
cf25897ca096f6ca6be84dc36269479c

SHA1
32c2bd3e28699e4919e03163ecbbc7a5bf26fd7d

SHA256
73b74aa2c66d6f3de824a24f5670a324c8169cdc14ff41eb07c0bd616dda22c6

SHA512
779cebae3f705da5cff13096a16603ae7cc387e0af5cf561b38094ff1f9bdf7dff7c412a4fd58161eec069ecdb9303031f29e97865f41b5b4bb70982b5bf42c2

Download Submit
C:\Windows\{EE5E9260-345F-4963-8E4F-BEE98B6B5F7C}.exe

Filesize
204KB

MD5
cd922132ca82ece662d3f55cb748a407

SHA1
028578a471b12d15df6e427495d1ff08f80e1c7a

SHA256
287fa905a5642fd5a6763caad2a379f14d15f6add80adc7e6cbd024b8c74e080

SHA512
a1df7dbc483d720ede8c1c0f4231ec6633a2bc6ac75a2bd3fe0faee87321158c1930dd19e2e47e736e64a25912c3a00abc0c98bbcc3db4109bf5dcd5334a5876

Download Submit
C:\Windows\{EE5E9260-345F-4963-8E4F-BEE98B6B5F7C}.exe

Filesize
204KB

MD5
cd922132ca82ece662d3f55cb748a407

SHA1
028578a471b12d15df6e427495d1ff08f80e1c7a

SHA256
287fa905a5642fd5a6763caad2a379f14d15f6add80adc7e6cbd024b8c74e080

SHA512
a1df7dbc483d720ede8c1c0f4231ec6633a2bc6ac75a2bd3fe0faee87321158c1930dd19e2e47e736e64a25912c3a00abc0c98bbcc3db4109bf5dcd5334a5876

Download Submit
C:\Windows\{F1B2E5C2-C63D-4488-B588-46E75FDBF289}.exe

Filesize
204KB

MD5
3fd6f14e588381b5f37ceb6037102e5c

SHA1
5000648a960fd37e1ca5dae67cf875e5aece5dd9

SHA256
4d3ccf14a62a0277517c5b33226f0a907d122d512bbb8888e8763db1051306e3

SHA512
258683489cb8c04280fe1e9a2a892c4bad02add3b1ce1aeb4b9a8d86c8f2dbb968c645ade22f2ebb52e8922911629371ccabc5aca6ab9810f4eaaa94357fa47b

Download Submit
C:\Windows\{F1B2E5C2-C63D-4488-B588-46E75FDBF289}.exe

Filesize
204KB

MD5
3fd6f14e588381b5f37ceb6037102e5c

SHA1
5000648a960fd37e1ca5dae67cf875e5aece5dd9

SHA256
4d3ccf14a62a0277517c5b33226f0a907d122d512bbb8888e8763db1051306e3

SHA512
258683489cb8c04280fe1e9a2a892c4bad02add3b1ce1aeb4b9a8d86c8f2dbb968c645ade22f2ebb52e8922911629371ccabc5aca6ab9810f4eaaa94357fa47b

Download Submit
C:\Windows\{F3E14954-1FE2-4e57-B9FB-FF646EE4668B}.exe

Filesize
204KB

MD5
8466239a99642b43dc156db1500c714e

SHA1
0abf4700258a7e68ad589257d6c650379d49dead

SHA256
53cb31597499a36dfaf7fc7b5f1763bf4cc24fdd597150c063d717f60e59ff29

SHA512
1368de85db996ab9f827ff12b68acfebc9aa4d245f266c1aa5c615be7e5329da0a81d9745767c58fd8d9890c8575f334a679ad78d628677a2e9c137eb8a7d218

Download Submit
C:\Windows\{F3E14954-1FE2-4e57-B9FB-FF646EE4668B}.exe

Filesize
204KB

MD5
8466239a99642b43dc156db1500c714e

SHA1
0abf4700258a7e68ad589257d6c650379d49dead

SHA256
53cb31597499a36dfaf7fc7b5f1763bf4cc24fdd597150c063d717f60e59ff29

SHA512
1368de85db996ab9f827ff12b68acfebc9aa4d245f266c1aa5c615be7e5329da0a81d9745767c58fd8d9890c8575f334a679ad78d628677a2e9c137eb8a7d218

Download Submit